This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH 2/4] S390: Use own tbegin macro instead of __builtin_tbegin.

From: Stefan Liebler <stli at linux dot vnet dot ibm dot com>
To: libc-alpha at sourceware dot org
Date: Fri, 13 Jan 2017 17:22:20 +0100
Subject: Re: [PATCH 2/4] S390: Use own tbegin macro instead of __builtin_tbegin.
Authentication-results: sourceware.org; auth=none
References: <1481032315-12420-1-git-send-email-stli@linux.vnet.ibm.com> <1481032315-12420-2-git-send-email-stli@linux.vnet.ibm.com> <1484066072.5606.219.camel@redhat.com> <c8041b4f-f7b4-f3a7-18b5-46833eb4e9b3@redhat.com> <1484306928.5606.291.camel@redhat.com> <4210b688-e05a-09fb-608e-471097e6feb0@redhat.com> <1484321557.5606.300.camel@redhat.com>

On 01/13/2017 04:32 PM, Torvald Riegel wrote:

On Fri, 2017-01-13 at 15:50 +0100, Florian Weimer wrote:

On 01/13/2017 12:28 PM, Torvald Riegel wrote:

On Thu, 2017-01-12 at 16:45 +0100, Florian Weimer wrote:

On 01/10/2017 05:34 PM, Torvald Riegel wrote:

(2) This introduces a facility to probe memory for being accessible or
not, considering that you say it masks segfaults.  It seems that this
probing may not be visible to the same extent as possible if a signal
handler were installed.  Is this relevant from a security perspective?


If the fallback implementation has essentially the same behavior, I
don't think there is a transaction-specific security problem.


We don't know what the fallback implementation in the user code does.
It can detect whether it is running in a HW transaction and run
different code depending on that.

Yes, the user can detect if it is running within a transaction (e.g.with the __builtin_tx_nesting_depth like used in elision_trylock).With non transactional stores, he could also store something even if thetransaction aborts.


Is this really supported?  I assumed that if you acquire a lock (which
might use elision), hardware transactions are off limits because glibc
might require their use internally.

If someone starts a transaction within a transaction, then the nestingdepth is incremented. If the outermost transaction is ended, the changesare committed.


You can check whether you run in a transaction.  That's no guarantee
that that transaction has been started by the elision code, but you can
check that nonetheless.

HW transactions must be usable regardless of whether something else uses
elision or not.  One of course shouldn't just commit transactions that
one did not start, though.

You are right, but this is possible.


Anyway, I'm not sure whether this gives user code more means to exploit
or probe something, or not.  Maybe I was just too cautious here.

That's correct, you can probe something.

But if someone wants to do that, he can also start a transactiondirectly without pthread_mutex_lock.

Follow-Ups:
- Re: [PATCH 2/4] S390: Use own tbegin macro instead of __builtin_tbegin.
  - From: Torvald Riegel

References:
- Re: [PATCH 2/4] S390: Use own tbegin macro instead of __builtin_tbegin.
  - From: Torvald Riegel
- Re: [PATCH 2/4] S390: Use own tbegin macro instead of __builtin_tbegin.
  - From: Florian Weimer
- Re: [PATCH 2/4] S390: Use own tbegin macro instead of __builtin_tbegin.
  - From: Torvald Riegel
- Re: [PATCH 2/4] S390: Use own tbegin macro instead of __builtin_tbegin.
  - From: Florian Weimer
- Re: [PATCH 2/4] S390: Use own tbegin macro instead of __builtin_tbegin.
  - From: Torvald Riegel

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]